netwire | 3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2

General

Target

5bdd4de824d48d14df40bce7f7709ad1.exe
Size

1.3MB
MD5

5bdd4de824d48d14df40bce7f7709ad1
SHA1

8cc562f26e24660ad2f7a5e88e8172e7718e6bf8
SHA256

3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2
SHA512

0d86196c36031429db86134c541fe86c800fcf83765b92b0a66c81e10774f26339dc905fa184107a3871c837fb1c1cb8b518409d0cef3bd3402de820db8c5cba
SSDEEP

24576:AAOcZwdf+OD0+t2drJGlFN5SoRS7NVzxYOKdfA/i6A3Xc6z1F/i4:efU8lJS7PKdo43M6z1F/V

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Netwir
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
pHJVBoFH
offline_keylogger
true
password
master12
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1008-50-0x0000000000B00000-0x0000000001128000-memory.dmp	netwire
behavioral2/memory/1008-52-0x0000000000B00000-0x0000000001128000-memory.dmp	netwire
behavioral2/memory/1008-53-0x0000000000B00000-0x0000000001128000-memory.dmp	netwire
behavioral2/memory/1008-54-0x0000000000B00000-0x0000000001128000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	5bdd4de824d48d14df40bce7f7709ad1.exe

Executes dropped EXE 1 IoCs

pid	Process
4672	odebgj.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29240433\\odebgj.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\29240433\\uasn.rru"	odebgj.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4672 set thread context of 1008	4672	odebgj.pif	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3928	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4672	3120	5bdd4de824d48d14df40bce7f7709ad1.exe	90
PID 3120 wrote to memory of 4672	3120	5bdd4de824d48d14df40bce7f7709ad1.exe	90
PID 3120 wrote to memory of 4672	3120	5bdd4de824d48d14df40bce7f7709ad1.exe	90
PID 4672 wrote to memory of 1008	4672	odebgj.pif	94
PID 4672 wrote to memory of 1008	4672	odebgj.pif	94
PID 4672 wrote to memory of 1008	4672	odebgj.pif	94
PID 4672 wrote to memory of 1008	4672	odebgj.pif	94
PID 4672 wrote to memory of 1008	4672	odebgj.pif	94

C:\Users\Admin\AppData\Local\Temp\5bdd4de824d48d14df40bce7f7709ad1.exe
"C:\Users\Admin\AppData\Local\Temp\5bdd4de824d48d14df40bce7f7709ad1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\29240433\odebgj.pif
  "C:\Users\Admin\AppData\Local\Temp\29240433\odebgj.pif" uasn.rru
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29240433\odebgj.pif

Filesize
576KB

MD5
a46a200d2e80ebc156f106e601304954

SHA1
076fea4fd2ab73974b99da43c5599477e6b95dbf

SHA256
41367c7c673ddb8de61ea04dfbcfe19af713becb4fa443742167964924b12e7e

SHA512
e12b826f25803c46fcffe08b5f3db50e99d0ac8575f9021787a9a1ad0949a3b10dac5b267b08d4be709e43ef008928f5a8bcdb2508648ddc5d860669751f97ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\29240433\odebgj.pif

Filesize
329KB

MD5
217600518a3fe5eabfe659a6fd21526a

SHA1
dc966a77251ceb911f4896d15f07432ad40e9321

SHA256
d2ee980f32cc95d3fc97020a7f87ec97ae32886ded30028d7ab8bd11522bee2e

SHA512
380c421dbcc4b54d4a88c5b96c4998d9590a00e870e6558feda786a8d4b12fdff723eab5c006915311636d797d3f21b6c2035dde0aa38d94cce6de9135697c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\29240433\trjhqtktm.log

Filesize
379KB

MD5
7b7eee3744afb2b32646da464c3ffbf7

SHA1
0dc248b0d126345578c923596589f4ca743458fe

SHA256
5356086516db6088fdfa009be3269c82f873a5bf9c48250a01c236c55d2b4529

SHA512
52f3a87e718cda89d0b20e4b22f39180738dd17789cb81ed465db9a3cd82f27ad42808dfc61bbdf3fdd50d50bc6775639254f17417c590cef2a258425d480ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\29240433\uasn.rru

Filesize
8.2MB

MD5
44efcadff66ff59419e935d780d20968

SHA1
1226fa389a3b40abf54d6588918d68a4cd1cff3d

SHA256
e4e5d9a5c69a56fcd5e688e61bb2055db6d348c1ef1ce6f15aa5caf6c2cb740b

SHA512
f4eb71cb23a70b94f8a15a46745b582049c530860169692a0351a0bf887399f6b7c448facd2ebe68889d54b9fe3ecc824caa91ea07ea926ff93499eee29733c2

Download Submit
memory/1008-53-0x0000000000B00000-0x0000000001128000-memory.dmp

Filesize
6.2MB

Download
memory/1008-52-0x0000000000B00000-0x0000000001128000-memory.dmp

Filesize
6.2MB

Download
memory/1008-50-0x0000000000B00000-0x0000000001128000-memory.dmp

Filesize
6.2MB

Download
memory/1008-54-0x0000000000B00000-0x0000000001128000-memory.dmp

Filesize
6.2MB

Download
memory/3928-55-0x0000026C58040000-0x0000026C58050000-memory.dmp

Filesize
64KB

Download
memory/3928-71-0x0000026C58140000-0x0000026C58150000-memory.dmp

Filesize
64KB

Download
memory/3928-87-0x0000026C60420000-0x0000026C60421000-memory.dmp

Filesize
4KB

Download
memory/3928-89-0x0000026C60450000-0x0000026C60451000-memory.dmp

Filesize
4KB

Download
memory/3928-91-0x0000026C60560000-0x0000026C60561000-memory.dmp

Filesize
4KB

Download
memory/3928-90-0x0000026C60450000-0x0000026C60451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads